Feeds

Industrial security - it's not the same as IT security

Niche market potential

Using blade systems to cut costs and sharpen efficiencies

In the past, equipment control for manufacturing processes on the shop floor tended to be carried out by discrete systems running arcane real time operating systems controlled by proprietary management systems that had no connection through to other systems.

In essence, this meant that the systems were secure, being "air locked" from everything else around them. The sensors fed information to a low-intelligence control unit that would send simple control sequences to actuators on the equipment. Sensor A shows that the temperature is too high here, actuator B opens up a little to let more coolant through, and so on.

If sensors sensed that something was way out of line, the controller just shut everything down for that piece of equipment. Problems only happened when there was a controller, sensor or actuator failure, and an engineer would be called in to physically replace the controller itself.

However, the drive for "IP everywhere" has started to bring such controls into the standard IT environment, and has introduced a new set of issues for the production line management, as well as the IT department.

For a start, many of these systems will have been in place for many years, and on the tried and tested principle of "if it isn't broken, don't fix it", the production line manager will not take kindly to anyone coming in and trying to replace any controllers, sensors and actuators, nor to "upgrade" them with additional pieces of technology to make them more amenable to being included in the overall IT environment.

Furthering the same principle, many of these controllers will not have had their internal software or firmware updated for years, leading to many different versions of systems being in place. However, as new equipment comes in, the pressure builds to include older equipment into the new systems, ensuring that the end-to-end process can be fully controlled - and that any failure along the line can be better managed by throttling back the whole production line moving part of the process to another machine, or whatever.

Once the systems have been brought in to an IP environment, however, the main issue that raises its head is security. Whereas the old air locked systems were inherently secure, requiring someone on-site with in-depth knowledge of the existing proprietary system to have any idea as to how to control it, the new systems can be accessed through standard tools over IP from anywhere in the world - if security is not applied in the correct manner.

At the basic level, this seems to be the same requirements as for a standard IT network - there is the need to stop outsiders from breaking in to the environment and gaining control, to stop disgruntled people on site from sabotaging the process, and to safeguard against accidental damage by workers.

But the shop floor tends not to be the same as other parts of the IT empire. We're not looking at highly standardised operating systems, at SNMP (simple networking management protocol) events that can be easily captured, at highly manageable end points that can be accessed directly through existing systems management tools.

Also, where we have a problem in the general IT infrastructure and we call in an engineer who will need to be able to trace through the infrastructure to identify root cause, on the production line, we will generally know what the root cause is, and any engineer coming in will be pointed to a specific piece of equipment with the instruction to fix it - yet our new environments will enable any problems that this engineer may introduce into the system to have knock on effects all the way through the entire process.

Therefore, a different approach to industrial security is required. We have to have a solution that is as unobtrusive as possible, that integrates directly into existing control systems that understands the levels of granularity that are required to provide the security that we need, and yet can enable the IT department to see the overall environment as part of the main IT infrastructure.

One such company that does this is Innominate, a German company that provides "embedded" security solutions aimed fairly and squarely at the industrial sector. Its mGuard solution provides a non-intrusive solution that not only gives on-site security against malicious and accidental problems, but also gives full virtual private network (VPN) access that ties in directly with the rest of the security solution so that external engineers can access equipment remotely - so providing faster response and cheaper fixes for problems where on-site presence is not required.

Other areas covered by Innominate include operating system agnostic anti-virus, and high availability redundant firewalls with fail over to maintain up time for remote access.

There are others in the market - Siemens and IBM both provide solutions via their professional services groups, and are increasingly building IP and security directly into industrial solutions.

Innominate is focused purely on this market - and seems to really understand what it is doing. However, it is a small company, and must manage its growth carefully. Its target market is large on a worldwide basis, and there are few players. This points towards the possibility of high growth - but this could also stretch the company's capabilities if not handled correctly. Innominate could also rapidly become a takeover target and this would also need careful handling to ensure that existing customers are fully supported while prospects are made to feel that the future is secure. Such a takeover could, paradoxically, provide the long-term stability for customers that may not be so apparent within a smaller company.

Overall, Quocirca believes that industrial security has to be dealt with - and that the growth of new equipment that has IP built directly into it means that it is becoming harder to disregard existing systems. As soon as a company looks at connecting two pieces of equipment together in a control sense, then security will have to be considered.

Copyright © 2007, Quocirca

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.